Who is responsible for data protection at St Christopher’s School?
A). Data Compliance Officer; B). IT Department; C). Teachers; D). All staff
D). All staff
What does the acronym GDPR stand for?
General Data Protection Regulations
What is the name of the data protection authority in Bahrain?
Marketing@abcbank.com is an example of personal data.
True or false?
False
A school holds on to the personal data of all former students indefinitely, even when it no longer needs the data for any educational purpose. Which data protection principle is being violated?
A). Purpose limitation; B). Storage limitation; C). Accuracy; D). Lawfulness, fairness, and transparency
B). Storage limitation
When should we monitor and protect personal data during the School year?
A). At the start of the year
B). At the end of the year
C). Ongoing, throughout the year
D). Whenever a data breach occurs
C). Ongoing, throughout the year
A parent of a student named Emily requests to see all the personal data the School holds about Emily (including her grades, attendance records, health / disciplinary information). Which data subject right is Emily’s parent exercising?
A). Right to erasure; B). Right to rectification; C). Right of access; D). Right to object
C). Right of access
Do all data breaches need to be reported to the Authority?
No. Only breaches likely to result in a risk to the rights and freedoms of natural persons need to be reported to the Authority. But all data breaches must be recorded internally (including a record of how the breach was assessed).
CCTV footage is an example of personal data.
True or false?
True
A school stores students' personal data, including health records, in an online system. However, the system lacks security measures, making it easy for unauthorized users to access sensitive information. Which data protection principle is the school violating?
A). Integrity and confidentiality; B). Data minimisation; C). Purpose limitation; D). Accuracy
A). Integrity and confidentiality
Does data protection law apply to hard copy or electronic records?
Applies to both hard copy and electronic records (any records which are maintained in a 'filing system')
This is a form of social engineering and a scam, where attackers deceive people into revealing sensitive information, or installing malware on their devices. What is this process called?
Phishing
How many hours do we have to report a data breach to the Authority?
A). 24 hours; B). 36 hours; C). 48 hours; D). 72 hours
D). 72 hours
An anonymous customer feedback survey is an example of personal data.
True or false?
False
A school collects students’ personal data, such as names, addresses, and health information, when they enrol. However, the School does not inform the parents about how the data will be used or that it will be shared with third-party vendors. Which data protection principle is the school violating?
A). Integrity and confidentiality; B). Purpose limitation; C). Lawfulness, fairness, and transparency; D). Data minimisation
C). Lawfulness, fairness, and transparency
Does simply being able to access the data (data accessible to you on your drive / in your possession) also fall under the definition of ‘processing personal data’?
A). Yes; B). No
Yes!
These are small text files that websites place on your device as you are browsing. They are the primary tool that advertisers use to track your online activity so that they can target you with highly specific ads. What are these files called?
Cookies
This American whistleblower and former NSA intelligence contractor leaked classified documents revealing the existence of mass surveillance programs in the US in 2013.
Edward Snowden
Location data is an example of personal data.
True or false?
True
A school asks for the names, home addresses, phone numbers, and detailed family income records of all students applying for a scholarship. However, only the students’ grades and household income range are necessary for the scholarship application. Which data protection principle is the school violating?
A). Accuracy; B). Integrity and confidentiality; C). Data minimisation; D). Storage limitation
C). Data minimisation
What does the acronym PDPL stand for?
Personal Data Protection Law
The process of converting information / data into a code that only authorised parties can decode. This is an example of a security control that can be applied to personal data. What is the process called?
Encryption
In 2023, the Irish Data Protection Commission imposed a historic fine of €1.2 billion on this US technology social media company for transferring personal data of European users to the US without adequate data protection mechanisms. I bet they didn't 'like' that much!
Meta / formerly known as Facebook
Provide 3 examples of sensitive personal data.
Examples could include: Race / ethnic origin, nationality, religion, political / philosophical beliefs, trade union memberships, health data, criminal data, biometric data, etc.
A school collects students' information for the purpose of managing class schedules. Later, without informing parents, the school decides to use the same data for targeted advertising for an upcoming fundraiser. Which data protection principle is being violated?
A). Accuracy; B). Purpose limitation; C). Data minimisation; D). Storage limitation
B). Purpose limitation